diff -Nru adsys-0.9.2~20.04.1/debian/changelog adsys-0.9.2~20.04.2/debian/changelog
--- adsys-0.9.2~20.04.1/debian/changelog 2023-04-27 18:10:35.000000000 +1200
+++ adsys-0.9.2~20.04.2/debian/changelog 2023-05-26 15:57:39.000000000 +1200
@@ -1,3 +1,12 @@
+adsys (0.9.2~20.04.2) focal; urgency=medium
+
+ * Fix processing of domain names to correctly parse '-' characters when creating valid dbus object paths, enabling domains with '-' to work, e.g. "test-example.com". (LP: #2020834)
+ - internal/ad/ad.go
+
+ -- Matthew Ruffell Fri, 26 May 2023 15:57:39 +1200
+
 adsys (0.9.2~20.04.1) focal-security; urgency=medium
 * No change build due to golang-1.18 update
diff -Nru adsys-0.9.2~20.04.1/internal/ad/ad.go adsys-0.9.2~20.04.2/internal/ad/ad.go
--- adsys-0.9.2~20.04.1/internal/ad/ad.go 2022-08-04 21:25:29.000000000 +1200
+++ adsys-0.9.2~20.04.2/internal/ad/ad.go 2023-05-26 15:57:35.000000000 +1200
@@ -175,7 +175,7 @@
 sssCCName := filepath.Join(args.sssCacheDir, "ccache_"+strings.ToUpper(domain))
 sssdDbus := bus.Object(consts.SSSDDbusRegisteredName,
- dbus.ObjectPath(filepath.Join(consts.SSSDDbusBaseObjectPath, strings.ReplaceAll(domain, ".", "_2e"))))
+ dbus.ObjectPath(filepath.Join(consts.SSSDDbusBaseObjectPath, domainToObjectPath(domain))))
 if url != "" && !strings.HasPrefix(url, "ldap://") {
 url = fmt.Sprintf("ldap://%s", url)
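Review bot: The new `+ dbus.ObjectPath(...)` line still assembles a D-Bus object path with `filepath.Join`, which joins with the host OS separator and cleans the result as a filesystem path; a D-Bus object path is always slash-separated, so `path.Join(consts.SSSDDbusBaseObjectPath, domainToObjectPath(domain))` (with `path` imported) states the intent without depending on the platform. The function this line belongs to starts and ends outside the hunk. The cleaning step is harmless here only because the helper introduced in the next hunk emits nothing but `[A-Za-z0-9_]` and `_XX` escapes, which is worth stating in a comment on this line, e.g. `// domainToObjectPath yields a single path element, so Join cannot introduce or collapse separators.`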
@@ -196,6 +196,22 @@
 }, nil
 }
+// domainToObjectPath converts a potential dbus object path string to valid hexadecimal-based equivalent as encoded
+// in sssd.
+// The separator in the domain is converted too.
+func domainToObjectPath(s string) string {
+ var r string
+ for _, c := range s {
+ if (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
+ (c >= 'a' && c <= 'z') || c == '_' {
+ r += string(c)
+ continue
+ }
+ r = fmt.Sprintf("%s_%02x", r, c)
+ }
+ return r
+}
+
 // GetPolicies returns all policy entries, stacked in order of priority.GetPolicies
 // It lists them, check state in global local cache and then redownload if any new version is available.
 // It uses the given krb5 ticket reference to authenticate to AD.
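Review bot: `for _, c := range s` in domainToObjectPath iterates runes, so a non-ASCII or invalid UTF-8 byte in the domain is escaped as its code point (`_e9`, `_fffd`) rather than as its UTF-8 bytes (`_c3_a9`); if sssd escapes the name byte by byte, as its object-path helper appears to, the two sides will compute different paths for such names, so the loop should be `for i := 0; i < len(s); i++ { c := s[i] ... }`. Passing `_` through while also using `_` as the escape prefix makes the mapping ambiguous (`a_2eb` and `a.b` collide), so it is worth confirming whether sssd escapes `_` as `_5f` and matching that. Rebuilding `r` with `fmt.Sprintf` on every escaped character is quadratic; a `strings.Builder` (`strings` is already imported in this file) is the idiomatic form, and the doc comment should name the concrete mapping so a reader can check it against sssd. Rewritten body below.
```go
// domainToObjectPath escapes a domain name into a single D-Bus object path
// element the way sssd does: every byte outside [A-Za-z0-9_] becomes _XX
// (lowercase hex), so "test-example.com" becomes "test_2dexample_2ecom".
// NOTE(review): byte-wise iteration assumes sssd escapes bytes, not code
// points — confirm against sssd's object-path escape helper.
func domainToObjectPath(s string) string {
	var b strings.Builder
	b.Grow(len(s))
	for i := 0; i < len(s); i++ {
		c := s[i]
		if (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
			(c >= 'a' && c <= 'z') || c == '_' {
			b.WriteByte(c)
			continue
		}
		fmt.Fprintf(&b, "_%02x", c)
	}
	return b.String()
}
```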